Experimental Quantum Private Queries with linear optics 
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The Quantum Private Query is a quantum cryptographic protocol to recover information from a 
database, preserving both user and data privacy: the user can test whether someone has retained in- 
formation on which query was asked, and the database provider can test the quantity of information 
released. Here we introduce a new variant Quantum Private Query algorithm which admits a simple 
linear optical implementation: it employs the photon's momentum (or time slot) as address qubits 
and its polarization as bus qubit. A proof-of- principle experimental realization is implemented. 

PACS numbers: 03.67.-a,03.67.Lx,03.67.Dd 
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Quantum information technology has matured espe- 
cially in the field of cryptography. Two distant parties 
can exploit quantum effects, such as entanglement, to 
communicate in a provably secure fashion. An interest- 
ing cryptographic primitive is the Symmetrically-Private 
Information Retrieval (SPIR) [Q: it allows a user (say Al- 
ice) to recover an element from a database in possession 
of a provider (say Bob), without revealing which element 
was recovered (user privacy). At the same time it allows 
Bob to limit the total amount of information that Alice 
receives (data privacy). Since user and data privacy ap- 
pear to be conflicting requirements, all existing classical 
protocols rely on constraining the resources accessible by 
the two parties j2j. However, using quantum effects, such 
constraints can be dropped: the Quantum Private Query 
(QPQ) Q is a quantum-cryptographic protocol that im- 
plements a cheat-sensitive SPIR. User privacy is indi- 
rectly enforced by allowing Alice to test the honesty of 
Bob: she can perform a quantum test to find out whether 
he is retaining any information on her queries, in which 
case Bob would disturb the states Alice is transmitting 
and she has some probability of detecting it [Q. Data 
privacy is strictly enforced since the number of bits that 
Alice and Bob exchange is too small to convey more than 
at most two database items. 

In this paper we present an optical scheme to carry out 
a variant of the QPQ protocol. In contrast to the orig- 
inal proposal of ||], it does not require a quantum ran- 
dom access memory (qRAM) Q and can be implemented 
with linear optics, i.e. current technology, but it has 
sub-optimal communication complexity. The qRAM's 
absence implies that the binary-to-unary translation to 
route Alice's query to the appropriate database memory 
element must be performed by Alice herself. Thus Alice 
and Bob must be connected by a number of communi- 
cation channels equal to the number N of database ele- 
ments (although O(logA^) would suffice with a qRAM). 
We present two conceptually equivalent QPQ implemen- 



tations: in the first (more suited to explanatory purposes 
and proof-of-principle tests) each channel is a spatial op- 
tical mode, in the second (more suited to practical ap- 
plications) it is a time slot in a fiber ||, |^. The paper 
focuses mostly on the former implementation for which 
we provide an experimental test. For this setup we also 
consider the case in which Alice entangles her queries 
with ancillary systems that she keeps in her lab. With 
this choice the user privacy can only be enhanced with 
respect to original scheme |^ as Bob has only limited 
access to the states which encode Alice's queries. 

We start with a description of the new scheme, focusing 
on how user and data privacy can be tested. Then we 
describe its experimental implementation, and conclude 
with the time-slot implementation. 

The scheme. The optical QPQ scheme is sketched 
in Fig. |l|(a). Bob controls an iV-element database, where 
each element j is associated to a spatial optical mode 
and consists of one bit Aj of classical information. The 
bit Aj = 1 (0) is encoded into the presence (absence) 
of a half-wave plate Bp^ in the jth mode (it rotates the 
polarization by 90°). Alice probes this system with sin- 
gle photons either in one mode or in a superposition of 
modes. To recover the database element Aj, Alice sends 
to Bob a single horizontally polarized photon H in the 
mode j, i.e. the state \Pj) = \H)j- see Fig. 0(b). Bob 
employs the photon's polarization as a "bus" qubit to 
communicate the query result: vertical V if Aj = 1, or 
horizontal H if Aj = 0. Namely, his transformation is 
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This exchange is clearly not private. To attain cheat 
sensitivity, Alice must randomly alternate two different 
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FIG. 1: a) Overview of the experiment. Alice at the query- 
preparation stage routes a single photon to the appropriate 
spatial modes, where Bob's database are stored in an array of 
polarization rotators Bpr- b) Alice's query preparation stage. 
A set of half-wave plates and polarizing beam splitters route 
the photon into the spatial mode j chosen by Alice. She also 
chooses whether to send a "superposed" query (see c) or a 
"plain" query (see d). c) If she chose a superimposed query 
\Sj), Alice performs the honesty test through an interference 
experiment in the j-th mode, d) Instead, if she chose a plain 
query \Pj), she performs a polarization measurement on the 
photon to recover the value of Aj. 



where the j-th mode is entangled with an ancillary spa- 
tial mode ja, and where |0) is the vacuum state. Ac- 
cording to original proposal ja should be identified 
with one (say the first) of the N spatial modes of the 
system, whose associated database entry is initialized in 
a known fiduciary value Aj^ = 0. With this choice ja will 
play the role of the rhetoric query of the original QPQ 
scheme whose user privacy has been formally proved in 
Ref. Q. Here however we follow an alternative strategy 
which guarantees user privacy levels which are at least 
as good as the original scheme and which can be easily 
realized in the spatial mode implementation. Namely, as 
shown in Fig. |](a), the ja's will be identified with ex- 
tra modes that Alice keeps in her lab. With this choice 
Alice privacy can only increase with respect to the origi- 
nal scheme as Bob does not have access to the complete 
quantum system (^) — his cheating operations can only 
act on the subsystem that Alice has sent him while the 
QPQ security proof [Q assumes he can act on the full 
state system. To prepare such input state Alice simply 
shines an H polarized photon onto a 50% beam-splitter 
sending one of the emerging beams to Bob and keeping 
the other in her lab as shown in Fig. 0(c). After hav- 
ing crossed Bob's lab (in the absence of cheating), the 
superposed query is evolved into 
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The two types of queries \Pj) and \Sj) must be submitted 
in random order and one at a time (i.e. she must wait for 
Bob's first reply before sending him the second query): 



if Bob received both queries at the same time, he could 
cheat undetected with a joint measurement 

The random alternation of plain and superposed 
queries allows Alice to test Bob's honesty. Indeed, since 
he does not know whether her photon is in the state \Pj) 
or \Sj), if Bob measures its position he risks collapsing 
the superposed query \Sj), and Alice can easily find it 
out. In fact, she can first obtain the value of through 
a polarization readout from |P°"*) - see Fig. |l](d). She 
can then use this value to prepare a projective measure- 
ment that tests whether the superposed query \Sj) has 
been preserved or collapsed (honesty test), i.e. a mea- 
surement that tests if the answer associated with \Sj) 
has been collapsed into the subspace orthogonal to the 
expected output jS*""*). [As explained in more detail in 
the next section, this essentially amounts to the inter- 
ferometric measurement of Fig. 0(c).] If this happened, 
she can confidently conclude that Bob has cheated. If this 
has not happened she cannot conclude anything: a cheat- 
ing Bob still has some probability of passing the test. For 
instance, assume that Bob uses a measure-and-reprepare 
strategy on one of the two queries, he will be caught 
only with probability 1/4. Anyhow, whatever cheating 
strategy Bob may employ, the probability of passing the 
honesty test is bounded by the information he retains on 
Alice's query Q: he can pass the test with certainty if 
and only if he does not retain any information from her. 

Readout and honesty test. Before proceeding, we 
analyze in more detail Alice's measurements. Consider 
first the case in which Alice first sends the plain query 
\Pj) and then the superposed query \Sj). In this case, 
she recovers Aj with the polarization measurement of 
Fig. |l|(d). Then, before sending the second query \Sj), 
she sets up an interferometer which couples the ancil- 
lary mode ja with the output of the mode j as shown 
in Fig. 1(c), where the polarization rotator Ap^ is used 
to compensate the rotation induced by Bob's database, 
determined by the value of Aj that she previously recov- 
ered. Therefore, if Bob has not cheated, the state in the 
interferometer just before the second beam splitter is \Sj) 
so that the "don't know" detector Dq must fire and the 
"cheat" detector Di cannot fire. If the "cheat" detector 
Di does fire, Alice knows that Bob must have cheated. 

Consider now the case in which Alice sends first the 
superposed query \Sj) and then the plain query \Pj). In 
order to perform the honesty test, she must first recover 
the value of Aj. So she needs to store the answer to 
the superposed query 15°"*) until the answer to the plain 
query IPj"**) arrives, from which Aj can be measured. It 
requires a quantum memory |^ and a fast feed-forward 
mechanism |^ to prepare the honesty test measurement 
depending on the value of Aj. Achieving this is possi- 
ble, but demanding. The same goal is reached with a 
less efficient but much simpler strategy. Alice chooses a 
random value A^^' in place of Aj. She then performs 
the interferometric measurement of Fig. 0(c) inserting or 
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not the polarization rotator Apr depending on the value 
of A'^^-' . This interferometer is then a projector on the 
state 1^]^"^^^)) ^ (|A(«)),|0),„ + \0),\H),J/V2. Later, 
when she receives the output of the plain query 
she finds out the value of Aj . If she had picked the right 
value A^-'^^ = Aj, she will know that her first measure- 
ment was a valid honesty test since \S°"*) = \Sj^"'^^^^). 
Otherwise, if A^^^ ^ Aj , then the result of her honesty 
test is useless and she must discard it. Since Alice chooses 
^(^J) = with probability 1/2, she performs the hon- 
esty test only on half of the transactions. This reduces 
her probability of discovering a cheating Bob, but not by 
a huge amount. For instance, in the example analyzed 
above, the probability is reduced from 1/4 to 3/16. As 
before, Bob passes the honesty test with probability 1 if 
and only if he does not cheat. 

Let us now briefly summarize the protocol. 1) Alice 
randomly chooses one of the two scenarios: either send 
first the plain query \Pj) and then the superposed query 
\Sj), or viceversa. 2a) In the first case, she recovers Aj 
from Bob's first reply and uses it to prepare the honesty 
test to use on his second reply. 2b) In the second case, she 
chooses a random bit A'-^'^ and prepares the honesty test 
using it in place of Aj. Then she performs the honesty 
test on Bob's first reply. When Aj becomes available 
later (from Bob's second reply), she finds out whether 
the honesty test result was meaningful (if Aj = A^^^ ) or 
not (if Aj ^ A(^)). 3) If the honesty test was meaningful 
and it has failed, she can conclude that Bob has cheated. 

Data privacy. In the original QPQ protocol data 
privacy was ensured by the fact that only a limited num- 
ber of qubits were exchanged between Alice and Bob: 
she had to send (and receive) a sequence of O(logA^) 
qubits to specify the address of the j th element. In 
contrast, in this version of the protocol Alice has direct 
access to all the entries of Bob's database through the 
N optical modes. She can then violate data privacy and 
recover multiple elements of Bob's database by sending 
many photons, one per mode. Theoretically, Bob can foil 
Alice by performing a joint measurement on the N spatial 
modes that discriminates the subspace with zero or one 
photon from the rest. If he finds that the modes jointly 
contain more than one photon, he knows that Alice is 
trying to violate the data privacy, and stops the commu- 
nication. If, instead, he finds that Alice is sending no 
more than one photon per query, he can be sure that she 
is recovering no more than one bit per transaction. 

Unfortunately, the above measurement is practically 
unfeasible. An alternative solution which is feasible, al- 
though less efficient, is the following. After Alice has 
sent her first photon into his lab. Bob blocks the ac- 
cess to the database and partitions it into X equal parts 
Pi, P2, • • • 7 Px containing N/X random entries each. He 
then communicates to Alice the composition of the parti- 
tions asking to reveal log2 X bits on her query to indicate 



which of the Pf's contains the database entry she is in- 
terested in (the fact that Alice has to reveal some bits 
should not be seen as a breach of the user privacy, since 
this is a (small) fixed quantity which is independent on 
the database size). Bob now can perform a local pho- 
todetection on each of the modes of the X — 1 partitions 
which according to Alice do not contain the message she 
is looking for. If he finds any photons there, he knows for 
sure that Alice has cheated and stops the communication. 
If he does not, he cannot conclude that Alice has cheated 
and allows her to complete her query sending the second 
photon, for which the above procedure is repeated. 

As in the case of user privacy, the data privacy is thus 
enforced by means of a probabilistic, non conclusive hon- 
esty test. In particular there is a tradeoff: the more bits 
Alice reveals on her query, the higher is the probabil- 
ity that Bob will be able to find out if she is cheating. 
For instance, consider the case in which Alice tries to re- 
cover some extra bits from the database by sending t ^ 1 
photons per transmitted signal. Assuming random en- 
codings, the probability that all of them will be found 
in the same subset of the database partition can be es- 
timated as X{l/Xy = {l/Xy-^. This is the only case 
in which Alice can safely pass Bob's honesty test. In all 
remaining cases at least one of the t photons will belong 
to one of the subsets on which Bob performs his pho- 
todetections. Alice's probability of being caught is thus 
equal to P = 1 — (l/AT)*"^, which increases both with the 
number (t—l) of cheating photons and with the number 
log2 X of bits she reveals to Bob - see Fig. |[ The gating 
is also fundamental: Bob must open the access to the 
database only during the transit time of Alice's photons, 
prompted by a trigger signal. Otherwise, she can cheat 
sending photons at other times. Similar expedients are 
usually adopted in plug-&-play cryptographic schemes to 
avoid Trojan horse attacks ||l^. These parts of the pro- 
tocol are important only if data privacy is an issue. As 
done in the experiment below, it can be omitted when 
only user privacy is important. 

Experimental results. In order to perform a proof- 
of-principle experiment, we have to show that Alice can 
recover the value of each database element, and that she 
can detect Bob's cheats. The single photon is created 
by starting from a biphoton generated through sponta- 
neous parametric downconversion and using one of the 
two component photons as a trigger. A sequence of half- 
wave plates and polarizing beam splitters allows Alice to 
choose the mode j (i.e. the database element) she wants 
to access with her H polarized photon - see Fig. |](b). In 
the experiment we employed A'^ = 3 modes. A standard 
polarization analysis setup and single photon detectors 
implement the reading process of Fig. |l|(d) performed by 
Alice. In Table |-(a) we report the experimental results 
for the preparation and measurement of each query \Pj) 
{j — 1, • • • ,3), giving the outcome fidelity for each ele- 
ment in the database. 
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FIG. 2: Left: Experimental fidelity values (dots) for different 
time delays introduced in the interferometer, which simulate 
the effects of different cheating attacks by Bob (large values of 
the temporal delay correspond to larger disturbances, i.e. to a 
larger information capture by Bob) . The upper curve is the fit 
for the probability that Alice's "don't know" detector Do fires 
during the honesty test, the lower curve refers to probability 
that Alice's "cheat" detector Di fires. The fit function is 
Gaussian due to the spectral and temporal profile of the single 
photon state. Right: Theoretical curve representing the data 
privacy P = 1 — (1/X)'~^ as a function of the bits log2 X 
Alice reveals to Bob and of the photons t she uses to cheat. 



The characterization of the honesty test follows. Alice 
must be able to move the interferometer of Fig. |l|(c) to 
the mode j corresponding to the question she wants to 
ask. We have implemented this using a Jamin-Lebedeff 
interferometer, which is quite compact, easy movable. 

In the first part 



and leads to a high phase stability 1 1 1 
of Table §-(b) we characterize Alice's honesty test when 
Bob is not cheating. To cheat. Bob may introduce a 
beam splitter in each mode and place a detector at the 
beam splitter output port. When he detects a photon 
in a mode j, he recreates a photon there. To simulate 
this cheating attack, we introduced a variable time delay 
in each mode. A delay larger than the photon's coher- 
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TABLE I: (a) Experimental values of the fidelity of Alice's 
measurement of each of the three elements of Bob's database. 
The measurement is performed by sending queries of the form 
\Pj), and measuring the output polarization — see Fig. ^(d). 
(b) Comparison between theoretical (th.) and experimen- 
tal (exp.) fidelities of Alice's honesty test of Fig. [Uc). The 
discrepancy with theory is due to unbalancement of the inter- 
ferometer and slight misalignment. 



ence length simulates a "measure-and-reprepare" cheat 
(i.e. zero beam splitter transmissivity) . Shorter delays 
simulate a milder cheat (i.e. nonzero beam splitter trans- 
missivities) . This was implemented by inserting quartz 
plates of varying thickness in Bob's arm of the interfer- 
ometer. In Tabic ^(b) and in Fig. ^ Alice's honesty test 
is characterized also in the presence of cheating. 

Time-slot implementation. We now describe a dif- 
ferent implementation of the scheme, based on 0. To 
each database element j we associate a unique time slot 
in an optical fiber: Alice places her query photon in the 
jth slot (i.e. the state \Pj)) if she wants to access Aj. 
Bob's database is encoded into a time dependent polar- 
ization rotator: in the jth time slot the polarization is 
rotated only if Aj = 1. To create the superposed \Sj) 
query, Alice places her photon in a superposition of two 
time slots Q. This is achieved by sending it through 
a 50% beam splitter, at the two outputs of which she 
places a long and a short fiber. The length difference of 
the fibers corresponds to a delay proportional to j. The 
signals from the two fibers are then joined into a sin- 
gle fiber through an optical switch |^. The same device 
(used in reverse) is used as cheat test on the superposed 
signal returning from Bob: the optical switch sends the 
first pulse through the long fiber and the second through 
the short fiber, so that they interfere at the beam split- 
ter. The photon then exits at one of the two "cheat" or 
"don't know" ports of the beam splitter. It is simple to 
see that this implementation is conceptually equivalent 
to the previous one, but it is more suited to the case in 
which Alice and Bob are far apart, as this procedure has 
been tested experimentally with interferometers of many 
Km in length 0, Our protocol can be easily scaled 
up considerably since the resources scale only linearly 
with the number of database elements. The number of 
database elements is ultimately limited only by the time- 
dependent noise the photons encounter along the fiber. 
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